Company
Date Published
Author
Sonar
Word count
2019
Language
English
Hacker News points
None

Summary

Two vulnerabilities were discovered in MyBB forum versions 1.8.16 through 1.8.25 inclusive, both related to defective regexes: a Nested Auto URL persistent XSS (CVE-2021-27889) and a Theme properties SQL injection (CVE-2021-27890). The first lets any unprivileged forum user embed stored XSS payloads into threads, posts, and private messages. The second leads to Remote Code Execution (RCE) through a sophisticated attacker-developed exploit that can be triggered by any user with an active session in the administrator dashboard. Both stem from issues with MyBB's custom implementation of regexes and HTML rendering, which can cause nested HTML tags to be rendered and so allow attackers to craft malicious payloads. The MyBB team has acknowledged both vulnerabilities and released patch version 1.8.26 to address them.